Skip to content
Evershell Docs

PromQL-shaped aggregation over the audit log

GET
/audit/stats
 
curl --request GET \
  --url 'https://your-org.evershell.ai/v1/audit/stats?time_bucket=auto&metric=count' \
  --header 'Authorization: Bearer <token>'

Permissions: audit:read or audit:read:own — same narrowing semantics as GET /audit.

Flexible aggregation endpoint — dimensions × metric × filters. Used by the console’s Insights dashboard for token / latency / decision breakdowns. The query model:

  • group_by — comma-separated categorical dimensions (e.g. decision,event_type)
  • time_bucketauto, 5m, 15m, 1h, 6h, 1d. Adds a time series dimension.
  • bucket_by — numeric range buckets on one column: column:b1,b2,... (e.g. latency_ms:10,50,100,250,500)
  • metric — defaults to count. Examples: sum:debits.output_tokens, avg:latency_ms.
  • top — limit to top N of one dim: N:dimension (e.g. 10:destination).
  • filter — same syntax as /audit?filter=....

See the Audit events doc for the dimension whitelist and metric grammar.

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Query Parameters

Section titled “Query Parameters ”
group_by
string
time_bucket
string
Allowed values: auto 5m 15m 1h 6h 1d
bucket_by
string
metric
string
default: count
top
string
filter
Array<string>
from
string format: date-time
to
string format: date-time

Responses

Section titled “ Responses ”

200

Section titled “200 ”

OK

Media type application/json
object
buckets
required
Array<object>
object
group
required

Map of dimension name → value for this row.

object
key
additional properties
string
bucket

Time-bucket boundary (when time_bucket is set) or numeric range label (when bucket_by is set).

string
value
required

The aggregated metric value (count, sum, avg).

number
Example generated
{
  "buckets": [
    {
      "group": {
        "additionalProperty": "example"
      },
      "bucket": "example",
      "value": 1
    }
  ]
}

400

Section titled “400 ”

Invalid query (unknown dimension / bad metric grammar).

Media type application/json
object
error
required
object
code
required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string
message
required

Human-readable summary

string
request_id
required

Server-generated request id for correlating logs

string
details

Optional structured context. Validation errors land at details.fields as a per-field map.

object
key
additional properties
any
Example 
{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}